2 Answers
2

I'm considering switching to ECDSA, would this require less space with the same level of encryption?

The answer to that question is yes; both ECDSA signatures and public keys are much smaller than RSA signatures and public keys of similar security levels. If you compare a 192-bit ECDSA curve to a 1k RSA key (which are roughly the same security level; the 192-bit ECDSA curve is probably a bit stronger), then the RSA signature and public key can be expressed in 128 bytes each (assuming that you're willing to use a space-saving format for the public key, rather than using the standard PKCS format); the ECDSA signature would be 48 bytes, and the public key would be 25 bytes.

As you increase the required security level, the advantage tilts even more radically towards ECDSA; that's because you have to increase the RSA modulus size far faster than the ECDSA curve size to increase the security level.

And is the verification performance in the same range as RSA?

Well, no, ECDSA signature verification is slower than RSA (for reasonable security levels). That is the one place that RSA shines; you can verify RSA signatures rather faster than you can verify an ECDSA signature. According to this web page, on their test environment, 2k RSA signature verification took 0.16msec, while 256-bit ECDSA signature verification took 8.53msec (see the page for the details on the platform they were testing it on). Now to be fair, this isn't quite an apples-to-apples comparison (256-bit ECDSA is probably a bit stronger than 2k RSA), but even if the difference isn't quite 50x, RSA is still faster.

I do have one question, though. You mention that you are including the RSA public key along with the signed message. Does that mean that the verifier uses that public key to verify the message? If so, how do you know that someone who wants to forge a message won't just provide his own public key along with the signature (signed using his private key)? That is, how does the receiver know that the public key he sees in the message is the one that was sent?

"Does that mean that the verifier uses that public key to verify the message?" It is used to identify the senders, so you can add them to a white-list. If someone else signs the same (or a new) message, you can see that it wasn't from the same person you whitelisted.
– Muis, Jul 12 '12 at 20:35

1

@Joshua: Well, if you were concerned with message overhead, couldn't you replace the public key with some short identifier, and have the verifier map the identifier to the public key? If you could do this, you would cut the overhead for RSA about in half, without the hassle of using a different public key algorithm.
– poncho, Jul 12 '12 at 20:43

@poncho Unfortunately not, because it's a decentralized system (like email), so having a central authority where users would need to sign up to have their identifiers mapped to keys will undermine the whole concept.
– Muis, Jul 12 '12 at 21:51

1

@Joshua: The hash would allow you to know when a key was the correct one, so you wouldn't have to trust anyone to provide it to you. If you didn't already have a needed key, you could obtain it by any method. (Retrieve it from a URL. Retrieve it from DNS. Retrieve it from a keyserver. Any method would do, no trust needed.)
– David Schwartz, Jul 13 '12 at 15:35
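
The hash-as-identifier idea from the comments above, as an added example that is not part of the original thread: the message carries a fingerprint instead of the full public key, and the verifier accepts a key fetched from any untrusted source only if it hashes to a whitelisted fingerprint. SHA-256 as the fingerprint, the `KeyResolver` class, the source functions and the key bytes are all assumptions constructed for illustration; the signature check with the resolved key happens afterwards in whatever scheme is in use.

```python
import hashlib
import hmac

def fingerprint(pubkey: bytes) -> bytes:
    """SHA-256 of the encoded public key; this is what the message carries."""
    return hashlib.sha256(pubkey).digest()

class KeyResolver:
    def __init__(self, whitelist, sources):
        self.whitelist = set(whitelist)  # fingerprints of senders already accepted
        self.sources = sources           # untrusted callables: fp -> bytes or None
        self.cache = {}                  # fp -> key bytes that passed the hash check

    def resolve(self, fp: bytes):
        """Return the key matching fp, or None if unknown or unobtainable."""
        if fp not in self.whitelist:
            return None
        if fp in self.cache:
            return self.cache[fp]
        for fetch in self.sources:
            candidate = fetch(fp)
            if candidate is None:
                continue
            # Accept only if the fetched bytes hash to the pinned fingerprint.
            if hmac.compare_digest(fingerprint(candidate), fp):
                self.cache[fp] = candidate
                return candidate
        return None

# Constructed stand-ins for 128-byte encoded 1k RSA public keys (not real keys).
ALICE_KEY = bytes(range(128))
MALLORY_KEY = bytes(reversed(range(128)))
KEYSERVER = {fingerprint(ALICE_KEY): ALICE_KEY}

def hostile_mirror(fp):
    return MALLORY_KEY        # answers every lookup with the forger's key

def honest_keyserver(fp):
    return KEYSERVER.get(fp)

def demo():
    fp = fingerprint(ALICE_KEY)
    resolver = KeyResolver([fp], [hostile_mirror, honest_keyserver])
    return {
        "alice": resolver.resolve(fp),                            # hostile answer skipped
        "mallory": resolver.resolve(fingerprint(MALLORY_KEY)),    # not whitelisted
        "hostile_only": KeyResolver([fp], [hostile_mirror]).resolve(fp),
        "bytes_saved": len(ALICE_KEY) - len(fp),                  # per-message overhead
    }

if __name__ == "__main__":
    print(demo())
```

A substituted key never reaches signature verification, because it cannot hash to a fingerprint the receiver already whitelisted, so the key source needs no trust.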

For a 128 bit security level, you need 256 bit ECC. Compressed public keys need about 32 bytes, and signatures use 64 bytes.

The verification time depends a lot on the choice of curve, representation and implementation. Ed25519 is supposed to be one of the fastest versions, especially if you use batch verification. But I'm not sure if it's possible to create a Windows build of the optimized version.

It seems that ECC requires less space, but this paper (nicj.net/files/…) states "Thus, for applications requiring message verification more often than signature generation, RSA may be the better choice." And verification performance is critical in my case, so I will have to research how big the difference is.
– Muis, Jul 12 '12 at 20:17

Signing, verification, and key generation are all very fast in the Ed25519 implementation.
– joeforker, Jul 13 '12 at 12:21